Active Exploitation of Drupal Core SQL Injection (CVE‑2026‑9082) Threatens Web Applications
What It Is — A critical SQL‑injection flaw in Drupal Core (CVE‑2026‑9082) permits an unauthenticated attacker to execute arbitrary database commands, potentially leading to data theft, site defacement, or full system takeover. CISA has verified active exploitation and added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog.
Exploitability — Exploits are observed in the wild; proof‑of‑concept code circulates on underground forums. The CVSS base score is 9.8 (Critical), reflecting remote code execution and data‑exfiltration potential.
Affected Products — Drupal Core versions 9.0.0‑9.5.12 and 10.0.0‑10.2.5 are vulnerable. Any organization that runs a Drupal‑based website—public portals, intranets, SaaS applications, or hosted CMS services—is at risk.
TPRM Impact — Third‑party risk managers must treat any vendor that supplies, hosts, or integrates Drupal sites as a high‑risk supplier. A compromised Drupal instance can expose downstream customer data, disrupt business operations, and trigger regulatory breach‑notification obligations.
Recommended Actions —
- Inventory all third‑party and internal Drupal deployments and confirm version numbers.
- Apply the official Drupal security patch (released 2026‑05‑15) within 30 days.
- Run targeted SQL‑injection scans against all Drupal assets.
- Amend contracts to require timely remediation of KEV‑listed vulnerabilities.
- Subscribe to CISA KEV updates for future high‑risk additions.
Source: CISA Advisory – CVE‑2026‑9082